Iljitsch van Beijnum wrote:
Isn't someone more eloquent than I going to point out that that spending
a lot of effort eliminating homographs from DNS to stop phishing is a
security measure on par with cutting cell service to underground trains
to prevent bombings? It focuses on one small vulnerability that phishers
exploit, and "fixing" this one vulnerability just may make things worse.
If you make a bunch of assumptions
Well, that's just it. There are a whole ton of assumptions here.
That the name that pops up in the navi-bar kinda-maybe-looks-sorta
like the site you think it should is just one of many and may
not even be the weakest.
> (SSL certificate chain is ok,
Yeah, make sure Verisign isn't issuing "Microsoft" certificates
to someone who isn't Microsoft again. And hey, can we play
homograph games inside of X.509 certs too!? Fun!
> binary is trustworthy, etc)
Plus, you have to trust DNS, which means you have to trust:
1) the root
2) the gTLD
3) the authorative servers for the domain
And for 99% of the users out there,
4) the caching servers for their ISP/employer/other access
provider
That is, trust that they are not actively malicious nor have been
exploited by some new or old cache poisoning trick, had a bogus
registrar switch (like Panix's recent experience), etc.
you can be sure that when it says https:// www.blah.com/ in your browser, you're actually communicating with the entity holding the name www.blah.com in a secure way. So when something
that looks exactly like www.blah.com is in fact different from www.blah.com, that's a pretty big deal because it breaks the whole system.
Assuming the system works. SSL doesn't really work now since
so many users reflexively click through warnings about bad
certificates.
And while we're at it, does any of this fix whether any of
the following,
www.blah-inc.com
www.blah.net
www.blah.biz
Might trick a user into thinking he's connected to the same
entity that owns www.blah.com?
> So how would fixing this make things worse?
Wrong question. How will fixing this one problem make things any
better? If almost none of the phishing emails I get now bother
to play these kinds of games today, how much does this really help?
Yeah, if it's easy, go ahead, but as the mere existence of this
thread seems to indicate this is not an easy problem. I worry that
like many of the other spam-related problems while we have a lot of
very smart people like yourself thinking hard about how to prevent
abuse, we may just be rearranging the deck chairs on the Titanic.
It may be time to head for the lifeboats, let this ship go down, and
start building a new, better boat now that we better understand the
threats.[0]
> And what else
should we be doing instead?
Many things, perhaps the two most important "we" can do:
1) Pounding it into the users that you don't ever trust what it
says in the navigation bar unless you typed it there yourself.
Corrorlaries: (a) When following links on webpages, your level
of trust should only be that of the least trusted page in the
chain of links. (b) NEVER EVER, EVER, EVER trust a link in an
unsigned email.
2) Pounding it into merchants, banks, etc., to make sure they never
ask their customers to violate (1).
But sorry, I do not have all of the answers either.
[0] Perhaps a better analogy is that by "cleaning up" DNS, we are
trying to prevent the iceburgs. We should be letting the indvidual
merchants, banks, and other secure sites, the ships, make their
own schemes for avoiding them. We could be helping them build stronger
ships, something better than today's SSL, and mapping out where the
iceburgs are, figuring out where they need to balance convenience
versus security, than trying to clear the seas of all possible hazards.
That's exactly the point: DNS tricks won't buy you anything (except denial of service) in the presence of SSL.